From 77945674a529238856d00901885a26fcd14c364a Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Mon, 18 Mar 2024 14:31:01 +0000
Subject: [PATCH] feat(profile): general update.
---
 apparmor.d/groups/_full/systemd-user | 1 +
 apparmor.d/groups/bus/at-spi2-registryd | 1 +
 apparmor.d/groups/bus/dbus-session | 4 ++--
 apparmor.d/groups/bus/dbus-system | 5 ++++-
 apparmor.d/groups/freedesktop/geoclue | 1 +
 apparmor.d/groups/freedesktop/plymouthd | 1 +
 apparmor.d/groups/kde/DiscoverNotifier | 6 ++++++
 apparmor.d/groups/kde/drkonqi-coredump-processor | 5 +++++
 apparmor.d/groups/kde/kconf_update | 2 +-
 .../groups/kde/kde-systemd-start-condition | 2 ++
 apparmor.d/groups/kde/kscreenlocker-greet | 4 +++-
 apparmor.d/groups/kde/ksmserver-logout-greeter | 6 +++---
 apparmor.d/groups/kde/kwin_wayland | 16 +++++++++++-----
 apparmor.d/groups/kde/systemsettings | 10 ++++++++--
 apparmor.d/groups/kde/xdm-xsession | 4 ----
 apparmor.d/groups/network/nm-dispatcher | 11 ++---------
 apparmor.d/groups/systemd/systemd-cat | 1 +
 apparmor.d/groups/systemd/systemd-coredump | 1 +
 apparmor.d/profiles-a-f/blkid | 4 +++-
 apparmor.d/profiles-a-f/blueman | 13 ++++++-------
 apparmor.d/profiles-a-f/fwupd | 5 +++--
 apparmor.d/profiles-m-r/packagekitd | 2 +-
 apparmor.d/profiles-m-r/pcscd | 1 +
 23 files changed, 67 insertions(+), 39 deletions(-)
diff --git a/apparmor.d/groups/_full/systemd-user b/apparmor.d/groups/_full/systemd-user
index 9b095c64..abc4deaa 100644
--- a/apparmor.d/groups/_full/systemd-user
+++ b/apparmor.d/groups/_full/systemd-user
@@ -46,6 +46,7 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) {
 @{lib}/systemd/systemd-executor rix,
 @{sh_path} rix, # Should be handled by default profile?
 @{bin}/grep rix,
+ @{bin}/sleep rix,
 @{bin}/** Px,
 @{lib}/** Px,
diff --git a/apparmor.d/groups/bus/at-spi2-registryd b/apparmor.d/groups/bus/at-spi2-registryd
index 1b047f1f..a4df1755 100644
--- a/apparmor.d/groups/bus/at-spi2-registryd
+++ b/apparmor.d/groups/bus/at-spi2-registryd
@@ -13,6 +13,7 @@ profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
+ include
 # dbus: own bus=accessibility name=org.a11y.atspi.{R,r}egistry
 dbus send bus=accessibility path=/org/a11y/atspi/accessible/root
diff --git a/apparmor.d/groups/bus/dbus-session b/apparmor.d/groups/bus/dbus-session
index bae0a24d..567d2c13 100644
--- a/apparmor.d/groups/bus/dbus-session
+++ b/apparmor.d/groups/bus/dbus-session
@@ -13,7 +13,7 @@ include
 @{exec_path} = @{bin}/dbus-run-session
 @{exec_path} += @{bin}/dbus-broker @{bin}/dbus-broker-launch
-@{exec_path} += @{bin}/dbus-daemon @{lib}/dbus-1.0/dbus-daemon-launch-helper
+@{exec_path} += @{bin}/dbus-daemon @{lib}/dbus-1{,.0}/dbus-daemon-launch-helper
 profile dbus-session flags=(attach_disconnected) {
 include
 include
@@ -25,8 +25,8 @@ profile dbus-session flags=(attach_disconnected) {
 signal (receive) set=(term hup) peer=gdm-session,
 signal (receive) set=(term hup) peer=gdm,
 signal (send) set=(term hup kill) peer=dbus-accessibility,
+ signal (send) set=(term hup kill) peer=dconf-service,
 signal (send) set=(term hup kill) peer=xdg-permission-store,
- signal (send) set=(hup) peer=dconf-service,
 dbus bus=session,
diff --git a/apparmor.d/groups/bus/dbus-system b/apparmor.d/groups/bus/dbus-system
index 55387709..72825bdb 100644
--- a/apparmor.d/groups/bus/dbus-system
+++ b/apparmor.d/groups/bus/dbus-system
@@ -12,9 +12,10 @@ abi ,
 include
 @{exec_path} = @{bin}/dbus-broker @{bin}/dbus-broker-launch
-@{exec_path} += @{bin}/dbus-daemon @{lib}/dbus-1.0/dbus-daemon-launch-helper
+@{exec_path} += @{bin}/dbus-daemon @{lib}/dbus-1{,.0}/dbus-daemon-launch-helper
 profile dbus-system flags=(attach_disconnected) {
 include
+ include
 include
 include
@@ -22,6 +23,7 @@ profile dbus-system flags=(attach_disconnected) {
 capability net_admin,
 capability setgid,
 capability setuid,
+ capability sys_resource,
 network netlink raw,
 network bluetooth stream,
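Review bot: `capability sys_resource` is added to dbus-system without a comment saying what needed it; the only related new rule is `owner @{PROC}/@{pid}/oom_score_adj rw` in the next hunk of this file, and lowering a process's OOM score below its current value is what ordinarily requires CAP_SYS_RESOURCE. The capability also covers raising resource limits and bypassing several kernel quotas, so it is worth recording the trigger, e.g. `capability sys_resource, # lower oom_score_adj of the bus daemon`. Which of dbus-broker-launch or dbus-daemon produced the denial is not visible here; please confirm from the audit entry. The profile body continues outside the hunk.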
@@ -59,6 +61,7 @@ profile dbus-system flags=(attach_disconnected) {
 @{PROC}/@{pid}/cmdline r,
 owner @{PROC}/@{pid}/fd/ r,
 owner @{PROC}/@{pid}/mounts r,
+ owner @{PROC}/@{pid}/oom_score_adj rw,
 /dev/dri/card@{int} rw,
 /dev/input/event@{int} rw,
diff --git a/apparmor.d/groups/freedesktop/geoclue b/apparmor.d/groups/freedesktop/geoclue
index 46b0a2e4..0309a59b 100644
--- a/apparmor.d/groups/freedesktop/geoclue
+++ b/apparmor.d/groups/freedesktop/geoclue
@@ -36,6 +36,7 @@ profile geoclue @{exec_path} flags=(attach_disconnected) {
 /usr/share/glib-2.0/schemas/gschemas.compiled r,
 /etc/geoclue/{,**} r,
+ /etc/sysconfig/proxy r,
 /var/lib/nscd/services r,
 /var/lib/dbus/machine-id r,
diff --git a/apparmor.d/groups/freedesktop/plymouthd b/apparmor.d/groups/freedesktop/plymouthd
index 3dcabc0d..d24b2cd1 100644
--- a/apparmor.d/groups/freedesktop/plymouthd
+++ b/apparmor.d/groups/freedesktop/plymouthd
@@ -13,6 +13,7 @@ profile plymouthd @{exec_path} {
 include
 capability checkpoint_restore,
+ capability dac_override,
 capability net_admin,
 capability sys_admin,
 capability sys_chroot,
diff --git a/apparmor.d/groups/kde/DiscoverNotifier b/apparmor.d/groups/kde/DiscoverNotifier
index 9b1707e9..a8dbfab0 100644
--- a/apparmor.d/groups/kde/DiscoverNotifier
+++ b/apparmor.d/groups/kde/DiscoverNotifier
@@ -19,13 +19,19 @@ profile DiscoverNotifier @{exec_path} {
 @{exec_path} mr,
+ /usr/share/metainfo/{,**} r,
+ /etc/flatpak/remotes.d/ r,
 /var/lib/flatpak/repo/{,**} r,
+ owner @{user_cache_dirs}/appstream/ r,
+ owner @{user_cache_dirs}/appstream/** r,
 owner @{user_cache_dirs}/flatpak/{,**} rw,
 owner @{user_cache_dirs}/icon-cache.kcache rw,
+ owner @{user_config_dirs}/PlasmaDiscoverUpdates r,
+ owner @{user_share_dirs}/flatpak/{,**} rw,
 @{PROC}/sys/kernel/core_pattern r,
diff --git a/apparmor.d/groups/kde/drkonqi-coredump-processor b/apparmor.d/groups/kde/drkonqi-coredump-processor
index 9caf95df..245838f7 100644
--- a/apparmor.d/groups/kde/drkonqi-coredump-processor
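Review bot: `capability dac_override` is added to plymouthd with no comment naming the access that produced the denial; it bypasses file permission checks on every path the profile already grants, so it widens all existing file rules at once rather than fixing one. Where the denied path is known, a narrower rule (an `owner` rule, or a group-readable path) is usually enough, and if the capability really is needed the trigger should sit next to it, e.g. `capability dac_override, # <denied path from the audit log — placeholder>`. The profile already holds `sys_admin` and `sys_chroot`, which makes this grant less surprising, but it still deserves a line of justification.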
+++ b/apparmor.d/groups/kde/drkonqi-coredump-processor
@@ -9,13 +9,18 @@ include
 @{exec_path} = @{lib}/drkonqi-coredump-processor
 profile drkonqi-coredump-processor @{exec_path} {
 include
+ include
 @{exec_path} mr,
 /etc/machine-id r,
+ /usr/share/icu/@{int}.@{int}/*.dat r,
+ /{run,var}/log/journal/ r,
 /{run,var}/log/journal/@{md5}/ r,
+ /{run,var}/log/journal/@{md5}/system.journal r,
+ /{run,var}/log/journal/@{md5}/system@@{hex}.journal r,
 /{run,var}/log/journal/@{md5}/user-@{uid}.journal r,
 /{run,var}/log/journal/@{md5}/user-@{uid}@@{hex}.journal r,
diff --git a/apparmor.d/groups/kde/kconf_update b/apparmor.d/groups/kde/kconf_update
index 62fb490b..cd5e84f0 100644
--- a/apparmor.d/groups/kde/kconf_update
+++ b/apparmor.d/groups/kde/kconf_update
@@ -13,6 +13,7 @@ profile kconf_update @{exec_path} {
 include
 include
 include
+ include
 include
 include
@@ -93,7 +94,6 @@ profile kconf_update @{exec_path} {
 @{sys}/devices/system/node/node@{int}/meminfo r,
 @{PROC}/ r,
- @{PROC}/@{sys}/kernel/random/boot_id r,
 @{PROC}/tty/drivers r,
 @{PROC}/uptime r,
 owner @{PROC}/@{pid}/cgroup r,
diff --git a/apparmor.d/groups/kde/kde-systemd-start-condition b/apparmor.d/groups/kde/kde-systemd-start-condition
index 279e6929..ad91d990 100644
--- a/apparmor.d/groups/kde/kde-systemd-start-condition
+++ b/apparmor.d/groups/kde/kde-systemd-start-condition
@@ -12,6 +12,8 @@ profile kde-systemd-start-condition @{exec_path} {
 @{exec_path} mr,
+ /etc/xdg/baloofilerc r,
+ owner @{user_config_dirs}/baloofilerc r,
 owner @{user_config_dirs}/plasma-welcomerc r,
diff --git a/apparmor.d/groups/kde/kscreenlocker-greet b/apparmor.d/groups/kde/kscreenlocker-greet
index 96b15583..875eccf1 100644
--- a/apparmor.d/groups/kde/kscreenlocker-greet
+++ b/apparmor.d/groups/kde/kscreenlocker-greet
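Review bot: The two new `system.journal` and `system@@{hex}.journal` read rules extend drkonqi-coredump-processor from the user's own journal files to the system journal, which carries entries from every service and user on the host; the previous rules only allowed `user-@{uid}*.journal`. Since the binary lives under `@{lib}` and is presumably run system-wide to process crashes of system services, the widening is plausibly required, but that reasoning belongs on the rules, e.g. `# System journal is needed for coredumps of system services, not only user sessions` above the two added lines. Keep the explicit file names rather than collapsing to `journal/@{md5}/** r`, so the allowed set stays visible in the profile.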
@@ -74,10 +74,12 @@ profile kscreenlocker-greet @{exec_path} {
 owner @{user_cache_dirs}/icon-cache.kcache rw,
 owner @{user_cache_dirs}/kscreenlocker_greet/ w,
 owner @{user_cache_dirs}/kscreenlocker_greet/** rwl,
+ owner @{user_cache_dirs}/ksvg-elements r,
 owner @{user_cache_dirs}/plasma_theme_*.kcache rw,
+ owner @{user_cache_dirs}/plasma-svgelements rw,
 owner @{user_cache_dirs}/plasma-svgelements-default_v* r,
+ owner @{user_cache_dirs}/plasma-svgelements.@{rand6} rwl -> @{user_cache_dirs}/#@{int},
 owner @{user_cache_dirs}/plasma-svgelements.lock rwk,
- owner @{user_cache_dirs}/plasma-svgelements{,.@{rand6}} rwl,
 owner @{user_config_dirs}/kdedefaults/kscreenlockerrc r,
 owner @{user_config_dirs}/kdedefaults/plasmarc r,
diff --git a/apparmor.d/groups/kde/ksmserver-logout-greeter b/apparmor.d/groups/kde/ksmserver-logout-greeter
index 7fb15b46..b067603b 100644
--- a/apparmor.d/groups/kde/ksmserver-logout-greeter
+++ b/apparmor.d/groups/kde/ksmserver-logout-greeter
@@ -38,9 +38,9 @@ profile ksmserver-logout-greeter @{exec_path} flags=(attach_disconnected) {
 owner @{user_cache_dirs}/#@{int} rwlk,
 owner @{user_cache_dirs}/kcrash-metadata/ r,
 owner @{user_cache_dirs}/ksmserver-logout-greeter/qmlcache/{,*} r,
- owner @{user_cache_dirs}/plasma_theme_breeze-dark_v5.114.0.kcache rw,
- owner @{user_cache_dirs}/plasma-svgelements r,
- owner @{user_cache_dirs}/plasma-svgelements.@{rand6} l -> @{user_cache_dirs}/#@{int},
+ owner @{user_cache_dirs}/plasma_theme_*.kcache rw,
+ owner @{user_cache_dirs}/plasma-svgelements rw,
+ owner @{user_cache_dirs}/plasma-svgelements.@{rand6} rwl -> @{user_cache_dirs}/#@{int},
 owner @{user_cache_dirs}/plasma-svgelements.lock rwk,
 owner @{user_config_dirs}/ r,
diff --git a/apparmor.d/groups/kde/kwin_wayland b/apparmor.d/groups/kde/kwin_wayland
index 9444a5f0..2c0b24a8 100644
--- a/apparmor.d/groups/kde/kwin_wayland
+++ b/apparmor.d/groups/kde/kwin_wayland
@@ -40,15 +40,19 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) {
 /usr/share/kservices{5,6}/{,**} r,
 /usr/share/kservicetypes5/{,*.desktop} r,
 /usr/share/kwin/{,**} r,
+ /usr/share/libinput-*/{,**} r,
 /usr/share/libinput/{,**} r,
- /usr/share/plasma/desktoptheme/default/** r,
+ /usr/share/pipewire/client.conf r,
+ /usr/share/plasma/desktoptheme/** r,
 /usr/share/qt/translations/*.qm r,
 /etc/machine-id r,
- /etc/xdg/menus/{,applications.menu} r,
 /etc/pipewire/client.conf.d/ r,
- /usr/share/pipewire/client.conf r,
-
+ /etc/xdg/kscreenlockerrc r,
+ /etc/xdg/menus/{,applications.menu} r,
+ /etc/xdg/menus/applications-merged/ r,
+ /etc/xdg/plasmarc r,
+
 owner /var/lib/sddm/.cache/#@{int} rwk,
 owner /var/lib/sddm/.cache/fontconfig/* rwk,
 owner /var/lib/sddm/.cache/fontconfig/*-le64.cache-@{int}{,TMP-@{rand6},NEW,LCK} w,
@@ -70,7 +74,9 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) {
 owner @{user_cache_dirs}/icon-cache.kcache rw,
 owner @{user_cache_dirs}/ksycoca{5,6}_* r,
 owner @{user_cache_dirs}/ksycoca{5,6}_* rwkl -> @{user_cache_dirs}/#@{int},
- owner @{user_cache_dirs}/kwin/qmlcache/*.qmlc rw,
+ owner @{user_cache_dirs}/kwin/ w,
+ owner @{user_cache_dirs}/kwin/qmlcache/ w,
+ owner @{user_cache_dirs}/kwin/qmlcache/*.qmlc rwl,
 owner @{user_cache_dirs}/kwin/qmlcache/*.qmlc.@{rand6} rwl -> @{user_cache_dirs}/kwin/qmlcache/#@{int},
 owner @{user_cache_dirs}/kwin/qmlcache/#@{int} rw,
 owner @{user_cache_dirs}/plasma_theme_*.kcache rw,
diff --git a/apparmor.d/groups/kde/systemsettings b/apparmor.d/groups/kde/systemsettings
index b6b5c028..9cb8e8e9 100644
--- a/apparmor.d/groups/kde/systemsettings
+++ b/apparmor.d/groups/kde/systemsettings
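Review bot: `owner @{user_cache_dirs}/kwin/qmlcache/*.qmlc rwl` adds link permission with no `-> target`, while the neighbouring `*.qmlc.@{rand6} rwl -> @{user_cache_dirs}/kwin/qmlcache/#@{int}` rule and the ksycoca rule two lines above pin the target explicitly. Without a target, as I read the file-rule link semantics, the link is checked only against whatever other paths the profile grants compatible access to, which is looser than the rest of this block and harder to audit. If the observed operation is the usual write-to-temporary-then-link dance, `owner @{user_cache_dirs}/kwin/qmlcache/*.qmlc rwl -> @{user_cache_dirs}/kwin/qmlcache/#@{int},` keeps the style consistent; please confirm the actual target from the audit entry. The same pattern appears in the systemsettings section below (`ksvg-elements.lock rwlk`).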
@@ -20,23 +20,29 @@ profile systemsettings @{exec_path} {
 @{bin}/kcminit rPx,
+ /usr/share/kcm_networkmanagement/{,**} r,
+ /usr/share/kinfocenter/{,**} r,
 /usr/share/kpackage/{,**} r,
 /usr/share/kservices{5,6}/{,**} r,
 /usr/share/kservicetypes5/{,**} r,
 /usr/share/kxmlgui5/systemsettings/systemsettingsui.rc r,
 /usr/share/plasma/{,**} r,
- /usr/share/systemsettings/{,**} r,
- /usr/share/kinfocenter/{,**} r,
 /usr/share/sddm/themes/{,**} r,
+ /usr/share/systemsettings/{,**} r,
 /etc/fstab r,
 /etc/machine-id r,
 /etc/xdg/menus/ r,
 /etc/xdg/ui/ui_standards.rc r,
+ owner @{user_cache_dirs}/#@{int} rw,
 owner @{user_cache_dirs}/icon-cache.kcache rw,
 owner @{user_cache_dirs}/kinfocenter/{,**} rwl,
+ owner @{user_cache_dirs}/ksvg-elements rw,
+ owner @{user_cache_dirs}/ksvg-elements.@{rand6} rwlk -> @{user_cache_dirs}/#@{int},
+ owner @{user_cache_dirs}/ksvg-elements.lock rwlk,
 owner @{user_cache_dirs}/ksycoca{5,6}_* r,
+ owner @{user_cache_dirs}/plasma_theme_*.kcache rw,
 owner @{user_cache_dirs}/systemsettings/ rw,
 owner @{user_cache_dirs}/systemsettings/** rwlk -> @{user_cache_dirs}/systemsettings/**,
diff --git a/apparmor.d/groups/kde/xdm-xsession b/apparmor.d/groups/kde/xdm-xsession
index 5633bbfb..d1abd322 100644
--- a/apparmor.d/groups/kde/xdm-xsession
+++ b/apparmor.d/groups/kde/xdm-xsession
@@ -53,11 +53,9 @@ profile xdm-xsession @{exec_path} {
 @{HOME}/.xinitrc rPix,
 @{lib}/xinit/xinitrc rix,
- /usr/share/bash-completion/{,**} r,
 /usr/share/glib-2.0/schemas/gschemas.compiled r,
 /usr/share/mc/mc.sh r,
- @{etc_ro}/profile.d/{,*} r,
 @{etc_ro}/X11/xdm/scripts/{,*} r,
 @{etc_ro}/X11/xim r,
 @{etc_ro}/X11/xim.d/none r,
@@ -71,8 +69,6 @@ profile xdm-xsession @{exec_path} {
 /etc/sysconfig/* r,
 owner @{HOME}/ r,
- owner @{HOME}/.alias r,
- owner @{HOME}/.i18n r,
 owner @{user_share_dirs}/sddm/xorg-session.log rw,
diff --git a/apparmor.d/groups/network/nm-dispatcher b/apparmor.d/groups/network/nm-dispatcher
index 249c96fe..285e24a1 100644
--- a/apparmor.d/groups/network/nm-dispatcher
+++ b/apparmor.d/groups/network/nm-dispatcher
@@ -70,22 +70,15 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) {
 profile systemctl {
 include
- include
+ include
- @{bin}/systemctl mr,
-
- / r,
+ capability net_admin,
 @{etc_ro}/ r,
 @{etc_ro}/systemd/ r,
 @{etc_ro}/systemd/system/ r,
 @{etc_ro}/systemd/system/ntp.service r,
- owner @{run}/systemd/private rw,
- @{run}/utmp k,
-
- /dev r,
-
 include if exists
 }
diff --git a/apparmor.d/groups/systemd/systemd-cat b/apparmor.d/groups/systemd/systemd-cat
index 0c485aac..3862a0c7 100644
--- a/apparmor.d/groups/systemd/systemd-cat
+++ b/apparmor.d/groups/systemd/systemd-cat
@@ -15,6 +15,7 @@ profile systemd-cat @{exec_path} {
 @{exec_path} mr,
 @{bin}/cat rix,
+ @{bin}/echo rix,
 include if exists
 }
diff --git a/apparmor.d/groups/systemd/systemd-coredump b/apparmor.d/groups/systemd/systemd-coredump
index 25d5c0a8..e62e9bfa 100644
--- a/apparmor.d/groups/systemd/systemd-coredump
+++ b/apparmor.d/groups/systemd/systemd-coredump
@@ -36,6 +36,7 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected,mediate_deleted
 /opt/** r,
 /etc/systemd/coredump.conf r,
+ /etc/systemd/coredump.conf.d/{,**} r,
 /var/lib/systemd/coredump/{,**} rwl,
diff --git a/apparmor.d/profiles-a-f/blkid b/apparmor.d/profiles-a-f/blkid
index 66cd352e..fef77c18 100644
--- a/apparmor.d/profiles-a-f/blkid
+++ b/apparmor.d/profiles-a-f/blkid
@@ -32,10 +32,12 @@ profile blkid @{exec_path} flags=(attach_disconnected) {
 @{run}/blkid/blkid.tab{,-@{rand6}} rw,
 @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab,
+ @{run}/cloud-init/ds-identify.log w, # file_inherit
+
 # For the EVALUATE=scan method
 @{PROC}/partitions r,
- /dev/tty@{int} rw,
+ owner /dev/tty@{int} rw,
 include if exists
 }
diff --git a/apparmor.d/profiles-a-f/blueman b/apparmor.d/profiles-a-f/blueman
index 0acf21eb..e463f37b 100644
--- a/apparmor.d/profiles-a-f/blueman
+++ b/apparmor.d/profiles-a-f/blueman
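Review bot: `capability net_admin` is added to the `systemctl` child profile of nm-dispatcher with no comment, and the only file the child reads is `@{etc_ro}/systemd/system/ntp.service`, which does not obviously call for network administration; if the denial actually came from talking to systemd's private socket, the removed `owner @{run}/systemd/private rw` rule is presumably now supplied by the swapped include (its argument is lost in this rendering, so I cannot confirm). Suggest a why-comment, e.g. `capability net_admin, # TODO: which systemctl call raised the denial?`, or holding the grant until the audit entry is reproduced. The removed `@{bin}/systemctl mr` and `/dev r` rules likewise now depend on the new include providing them, so it is worth checking the child profile still loads and the dispatcher script still runs.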
@@ -11,6 +11,7 @@ include
 profile blueman @{exec_path} flags=(attach_disconnected) {
 include
 include
+ include
 include
 include
 include
@@ -26,18 +27,16 @@ profile blueman @{exec_path} flags=(attach_disconnected) {
 ptrace (read) peer=gjs-console,
+ # dbus: own bus=session name=org.blueman.Applet
+ # dbus: own bus=session name=org.blueman.Manager
+
 @{exec_path} mrix,
 @{sh_path} rix,
-
- @{bin}/blueman-tray rPx,
- @{open_path} rPx -> child-open,
+ @{open_path} rix,
 /usr/share/blueman/{,**} r,
- /etc/machine-id r,
- /var/lib/dbus/machine-id r,
-
 /var/lib/blueman/network.state r,
 owner @{HOME}/ r,
@@ -53,9 +52,9 @@ profile blueman @{exec_path} flags=(attach_disconnected) {
 owner @{user_cache_dirs}/obexd/ rw,
 owner @{user_cache_dirs}/obexd/* rw,
+ @{PROC}/@{pids}/cmdline r,
 owner @{PROC}/@{pid}/fd/ r,
 owner @{PROC}/@{pid}/mounts r,
- @{PROC}/@{pids}/cmdline r,
 /dev/dri/card@{int} rw,
 /dev/rfkill r,
diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd
index c49069bc..f28d08a1 100644
--- a/apparmor.d/profiles-a-f/fwupd
+++ b/apparmor.d/profiles-a-f/fwupd
@@ -133,9 +133,10 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) {
 @{bin}/gpg{,2} mr,
 @{bin}/gpgconf mr,
 @{bin}/gpgsm mr,
- @{bin}/gpg-agent mrix,
- @{lib}/gnupg/scdaemon rix,
+ @{bin}/gpg-agent rix,
+ @{lib}/{,gnupg/}scdaemon rix,
+ owner /var/lib/fwupd/gnupg/ rw,
 owner /var/lib/fwupd/gnupg/** rwkl -> /var/lib/fwupd/gnupg/**,
diff --git a/apparmor.d/profiles-m-r/packagekitd b/apparmor.d/profiles-m-r/packagekitd
index 67ceca17..e10e0bd6 100644
--- a/apparmor.d/profiles-m-r/packagekitd
+++ b/apparmor.d/profiles-m-r/packagekitd
@@ -68,7 +68,7 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) {
 @{bin}/fc-cache rPx,
 @{bin}/glib-compile-schemas rPx,
 @{bin}/install-info rPx,
- @{bin}/rpmdb2solv rPx, # only: opensuse
+ @{bin}/rpmdb2solv rPUx, # only: opensuse
 @{bin}/systemd-inhibit rPx,
 @{bin}/update-desktop-database rPx,
 @{lib}/apt/methods/* rPx, # only: dpkg
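Review bot: Replacing `@{open_path} rPx -> child-open` with `@{open_path} rix` runs the opener inside blueman's own profile instead of the dedicated `child-open` transition the removed line used, so whatever the opener launches next is judged by blueman's rules (`@{sh_path} rix` and the rest of this profile) rather than by a profile written for that purpose; depending on the program started, that is either more permissive than intended or a denial waiting to happen. If the `child-open` transition was dropped because it failed, a comment on the line saying so would help the next reader; otherwise keeping `rPx -> child-open` matches the convention the rest of the repository appears to follow. The profile's remaining rules continue outside this hunk.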
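Review bot: `@{bin}/rpmdb2solv rPUx` lets the helper fall back to running unconfined whenever no `rpmdb2solv` profile is loaded, which is weaker than the `rPx` every neighbouring rule keeps; the likely reason is that no profile for it is shipped on the non-openSUSE targets the trailing comment hints at, but that is not stated on the line. Suggest extending the comment, e.g. `@{bin}/rpmdb2solv rPUx, # only: opensuse - no profile shipped, falls back to unconfined`, or, better, adding a minimal profile so `rPx` can be restored. packagekitd's profile body continues outside the hunk.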
diff --git a/apparmor.d/profiles-m-r/pcscd b/apparmor.d/profiles-m-r/pcscd
index 1e0d94b4..8c86ec7f 100644
--- a/apparmor.d/profiles-m-r/pcscd
+++ b/apparmor.d/profiles-m-r/pcscd
@@ -15,6 +15,7 @@ profile pcscd @{exec_path} {
 network netlink raw,
+ ptrace (read) peer=gsd-smartcard,
 ptrace (read) peer=pkcs11-register,
 ptrace (read) peer=rngd,
 ptrace (read) peer=scdaemon,